Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

What's new with Java

Michael Horowitz | Nov. 3, 2014
There are three latest versions of Java. Tweaking Java to disable SSL 3.0. Securing Java. Explaining the security messages when running Java applets. Expiring old versions of Java.

I'm sick of Java, as you probably are too. That said, there have been a number of changes to Java lately that may have flown under the radar. So, here is what you need to know about where things stand.

To begin with, there are now three latest/current versions of Java.

We have seen two "current" versions in the past as Oracle has maintained two versions of Java allowing for a migration to a newer version. They are doing that again, releasing bug fixes for both the older version 7 and the newer version 8. Version 7 is scheduled to be retired in April 2015.

Windows users running an old copy of Java 7 may get upgraded to the latest edition of Java 7 or to Java 8. The Java automatic update system stays within Java 7. This will not change until "early 2015". However, other types of Java updaters, may bump up a Java 7 installation to Java 8.

The latest version of Java 8, Update 25, was released on October 14, 2014. As of then, new installations of Java install version 8 rather than version 7. 

There are, for the first time, two latest versions of Java 7; Update 71 and Update 72. By default, Oracle updates older versions of Java 7 to Update 71.

Update 72 has the same security related bug fixes as Update 71, but also includes additional non-security patches. According to Oracle, Update 72 is "... for developers and users requiring additional non-security improvements or for testing updated features". The additional fixes in Update 72 will be rolled into the next revision of Java 7.

The recent POODLE flaw in SSL version 3 serves as a reminder to disable SSL version 3 whenever possible, and, to enable all three versions of TLS (1.0, 1.1 and 1.2). Webmasters need to do this on their servers, regular folks need to do it in their browser(s).

What no one has mentioned so far (that I have seen) is that Java users need to make these same tweaks.

On a Windows system (I have not tested OS X or Linux), open the Java thingy in the Control Panel and go to the Advanced tab. Scroll down to the bottom. The SSL/TLS options there look like those in Internet Explorer, but they are unrelated.

By default Java 7 enables SSL 3.0 and TLS 1.1, the same defaults as Internet Explorer. Turn off SSL 3.0 and turn on TLS 1.1 and TLS 1.2. Java 8 enables all four protocols by default, so all that needs to be done is to disable SSLv3. For both Java 7 and 8, there is another interesting checkbox just below the SSL/TLS options. It is called "Suppress sponsor offers when installing or updating Java". It is off by default, I would turn it on.


1  2  3  4  Next Page 

Sign up for CIO Asia eNewsletters.